initial

author: Root THC 2026-02-24 12:42:47 +0000
committer: Root THC 2026-02-24 12:42:47 +0000
commit: c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree: aefc355416b561111819de159ccbd86c3004cf88 /other/burneye2/morph.c
parent: 073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)
1 files changed, 324 insertions, 0 deletions
diff --git a/other/burneye2/morph.c b/other/burneye2/morph.c
new file mode 100644
index 0000000..3fcc71c
--- /dev/null
+++ b/other/burneye2/morph.c
@@ -0,0 +1,324 @@
+/* morph.c - burneye code morphing functionality
+ *
+ * by scut
+ */
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include <common.h>
+#include <ia32-decode.h>
+#include <ia32-function.h>
+#include <morph.h>
+/*** static prototypes
+ */
+static void
+morph_br_fix_front (morph *mr, ia32_function *func, ia32_bblock *br);
+static void
+morph_br_fix_inst (ia32_function *func, ia32_bblock *br, int endbr_num);
+static int
+morph_func_sort_2 (void *e1, void *e2);
+static int
+morph_br_sort_2 (void *e1, void *e2);
+/*** implementation
+ */
+unsigned int
+morph_abstract (morph *mr)
+{
+        unsigned int    n;
+        unsigned int    newsize,
+                        allsize = 0;
+        unsigned char * newdata;
+        for (n = 0 ; n < mr->flist_count ; ++n) {
+                newsize = mr->flist[n]->end - mr->flist[n]->start;
+                newdata = xcalloc (1, newsize);
+                memcpy (newdata, mr->flist[n]->mem, newsize);
+                mr->flist[n]->mem = newdata;
+                allsize += newsize;
+        }
+        return (allsize);
+}
+void
+morph_br_extend (morph *mr, int len)
+{
+        unsigned int    n,      /* temporary index */
+                        bn,     /* bblock index into bblock array (pivot) */
+                        fn;     /* function index into array (pivot) */
+        ia32_function * func;   /* function that contains the morphed bblock */
+        ia32_bblock **  brl;    /* bblock list of function, brl_count items */
+        unsigned int    brl_count;
+        if (len == 0)
+                return;
+        morph_func_sort (mr);
+        assert (mr->flist_count < 2 || mr->flist[0]->start <= mr->flist[1]->start);
+        for (fn = 0 ; fn < mr->flist_count &&
+                ia32_trace_range (mr->flist[fn]->start, mr->flist[fn]->end,
+                mr->bblock->start) == 0 ; ++fn)
+                ;
+        assert (fn < mr->flist_count);
+        /* now we have located the function the bblock-extension is occuring
+         * in, lets get all bblockes and find the modified one
+         */
+        func = mr->flist[fn];
+        brl = ia32_br_get_all (func->br_root, &brl_count);
+        morph_br_sort (brl, brl_count);
+        for (bn = 0 ; bn < brl_count && ia32_trace_range (brl[bn]->start,
+                brl[bn]->end, mr->bblock->start) == 0 ; ++bn)
+                ;
+        assert (bn < brl_count);
+        /* extend current bblock, zero extended space and then move all
+         * bblockes that come after it
+         */
+        if (len > 0)
+                func->mem = xrealloc (func->mem,
+                        func->end - func->start + len);
+        memmove (&func->mem[mr->bblock->end - func->start + len],
+                &func->mem[mr->bblock->end - func->start],
+                func->end - mr->bblock->end);
+        if (len > 0)
+                memset (&func->mem[mr->bblock->end - func->start],
+                        0x90, len);
+        mr->bblock->end += len;
+        assert (mr->bblock->start < mr->bblock->end);
+        mr->bblock->last_unused = len;
+        for (n = bn + 1 ; n < brl_count ; ++n) {
+                brl[n]->start += len;
+                brl[n]->end += len;
+        }
+        /* the bblockes are relocated for now, but still dangle by instruction.
+         * first move all following functions, then fixup first the bblockes,
+         * then all functions.
+         */
+        for (n = fn + 1 ; n < mr->flist_count ; ++n) {
+                mr->flist[n]->start += len;
+                mr->flist[n]->end += len;
+        }
+        morph_br_fix (mr, func);
+/*FIXME morph_func_fix (mr); */
+        free (brl);
+        return;
+}
+void
+morph_br_fix (morph *mr, ia32_function *func)
+{
+        unsigned int    n,
+                        bn;
+        ia32_bblock **  brl;    /* bblock list of function, brl_count items */
+        unsigned int    brl_count;
+        brl = ia32_br_get_all (func->br_root, &brl_count);
+        morph_br_sort (brl, brl_count);
+        for (bn = 0 ; bn < brl_count && ia32_trace_range (brl[bn]->start,
+                brl[bn]->end, mr->bblock->start) == 0 ; ++bn)
+                ;
+        assert (bn < brl_count);
+        for (n = 0 ; n < brl_count ; ++n) {
+                if (n == bn && brl[bn]->last_unused < 0) {
+                        fprintf (stderr, "cannot fix last instruction, negative dangling\n");
+                        continue;
+                }
+                morph_br_fix_front (mr, func, brl[n]);
+        }
+}
+static void
+morph_br_fix_front (morph *mr, ia32_function *func, ia32_bblock *br)
+{
+        switch (br->endtype) {
+        case (BR_END_IF):
+                morph_br_fix_inst (func, br, 1);
+                break;
+        case (BR_END_TRANSFER):
+                morph_br_fix_inst (func, br, 0);
+                break;
+        /* cases we can safely ignore
+         * BR_END_IF_INTER we can ignore because the control flow change
+         *   happens to another function, not at bblock level
+         */
+        case (BR_END_RET):
+        case (BR_END_PASS):
+        case (BR_END_CALL):
+        case (BR_END_FUNCPTR_CALL):
+        case (BR_END_FUNCPTR_JUMP):
+        case (BR_END_IF_INTER):
+        case (BR_END_TRANSFER_INTER):
+        case (BR_END_UNPREDICT):
+        case (BR_END_CTRL_SYSCALL):
+        case (BR_END_CTRL_SYSCALL_END):
+        default:
+                break;
+        }
+}
+static void
+morph_br_fix_inst (ia32_function *func, ia32_bblock *br, int endbr_num)
+{
+        unsigned char *         dest;
+        unsigned int            vaddr_inst;
+        unsigned int            daddr_current,
+                                daddr_correct;
+        ia32_instruction *      inst,
+                                inst_s;
+        unsigned int            displ_relofs,
+                                displ_size;
+        int                     displ_new;
+        vaddr_inst = br->end - br->last_unused - br->last_ilen;
+        dest = &func->mem[vaddr_inst - func->start];
+        inst = ia32_decode_instruction (dest, &inst_s);
+        assert (inst != NULL);
+        daddr_current = ia32_trace_control (inst, dest, vaddr_inst, NULL,
+                NULL);
+        daddr_correct = br->endbr[endbr_num]->start;
+        if (daddr_current == daddr_correct)
+                return;
+        fprintf (stderr, "_fix_inst: instruction at 0x%08x\n"
+                "\tdestaddr current = 0x%08x\n"
+                "\tdestaddr correct = 0x%08x\n"
+                "\tbblock unused    = 0x%08x\n",
+                vaddr_inst, daddr_current, daddr_correct, br->last_unused);
+        /* get the position and size of the displacement, then adjust it
+         * in-place
+         */
+        displ_relofs = ia32_has_displacement (inst, &displ_size);
+        assert (displ_relofs != 0);
+        fprintf (stderr, "\t%d bit displacement at: 0x%08x + %d\n",
+                displ_size, vaddr_inst, displ_relofs);
+        displ_new = daddr_correct;
+        displ_new -= vaddr_inst + inst->length;
+        fprintf (stderr, "\told displacement: 0x%08x\n"
+                "\tnew displacement: 0x%08x\n",
+                inst->opc.displ_value, displ_new);
+        assert (morph_displ_boundcheck (displ_new, displ_size) == 0);
+        ia32_encode_value (dest + displ_relofs, displ_size, displ_new);
+        return;
+}
+int
+morph_displ_boundcheck (int displ_val, unsigned int displ_size)
+{
+        int     bytes;
+        int     valid_up[] = { 0, 0x7f, 0x7fff, 0, 0x7fffffff };
+        int     valid_down[] = { 0, -0x80, -0x8000, 0, -0x80000000 };
+        bytes = ia32_bit_to_byte (displ_size);
+        if (displ_val > valid_up[bytes])
+                return (1);
+        if (displ_val < valid_down[bytes])
+                return (1);
+        return (0);
+}
+void
+morph_func_fix (morph *mr)
+{
+}
+void
+morph_func_sort (morph *mr)
+{
+        qsort (mr->flist, mr->flist_count, sizeof (mr->flist[0]),
+                (int (*)(const void *,const void*)) morph_func_sort_2);
+}
+static int
+morph_func_sort_2 (void *e1, void *e2)
+{
+        ia32_function * f1 = *((ia32_function **) e1);
+        ia32_function * f2 = *((ia32_function **) e2);
+        if (f1->start == f2->start)
+                return (0);
+        if (f1->start < f2->start)
+                return (-1);
+        return (1);
+}
+void
+morph_br_sort (ia32_bblock **brlist, unsigned int br_len)
+{
+        qsort (brlist, br_len, sizeof (brlist[0]),
+                (int (*)(const void *, const void *)) morph_br_sort_2);
+}
+static int
+morph_br_sort_2 (void *e1, void *e2)
+{
+        ia32_bblock *   b1 = *((ia32_bblock **) e1);
+        ia32_bblock *   b2 = *((ia32_bblock **) e2);
+        if (b1->start == b2->start)
+                return (0);
+        if (b1->start < b2->start)
+                return (-1);
+        return (1);
+}
author	Root THC	2026-02-24 12:42:47 +0000
committer	Root THC	2026-02-24 12:42:47 +0000
commit	c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree	aefc355416b561111819de159ccbd86c3004cf88 /other/burneye2/morph.c
parent	073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)

diff --git a/other/burneye2/morph.c b/other/burneye2/morph.c new file mode 100644 index 0000000..3fcc71c --- /dev/null +++ b/other/burneye2/morph.c
@@ -0,0 +1,324 @@
	1	/* morph.c - burneye code morphing functionality
	2	*
	3	* by scut
	4	*/
	5
	6	#include <stdlib.h>
	7	#include <string.h>
	8	#include <assert.h>
	9
	10	#include <common.h>
	11	#include <ia32-decode.h>
	12	#include <ia32-function.h>
	13	#include <morph.h>
	14
	15
	16	/*** static prototypes
	17	*/
	18
	19	static void
	20	morph_br_fix_front (morph mr, ia32_function func, ia32_bblock *br);
	21
	22	static void
	23	morph_br_fix_inst (ia32_function func, ia32_bblock br, int endbr_num);
	24
	25	static int
	26	morph_func_sort_2 (void e1, void e2);
	27
	28	static int
	29	morph_br_sort_2 (void e1, void e2);
	30
	31
	32	/*** implementation
	33	*/
	34
	35	unsigned int
	36	morph_abstract (morph *mr)
	37	{
	38	unsigned int n;
	39	unsigned int newsize,
	40	allsize = 0;
	41	unsigned char * newdata;
	42
	43
	44	for (n = 0 ; n < mr->flist_count ; ++n) {
	45	newsize = mr->flist[n]->end - mr->flist[n]->start;
	46
	47	newdata = xcalloc (1, newsize);
	48	memcpy (newdata, mr->flist[n]->mem, newsize);
	49	mr->flist[n]->mem = newdata;
	50
	51	allsize += newsize;
	52	}
	53
	54	return (allsize);
	55	}
	56
	57
	58	void
	59	morph_br_extend (morph *mr, int len)
	60	{
	61	unsigned int n, /* temporary index */
	62	bn, /* bblock index into bblock array (pivot) */
	63	fn; /* function index into array (pivot) */
	64	ia32_function * func; /* function that contains the morphed bblock */
	65	ia32_bblock ** brl; /* bblock list of function, brl_count items */
	66	unsigned int brl_count;
	67
	68
	69	if (len == 0)
	70	return;
	71
	72	morph_func_sort (mr);
	73	assert (mr->flist_count < 2 \|\| mr->flist[0]->start <= mr->flist[1]->start);
	74
	75	for (fn = 0 ; fn < mr->flist_count &&
	76	ia32_trace_range (mr->flist[fn]->start, mr->flist[fn]->end,
	77	mr->bblock->start) == 0 ; ++fn)
	78	;
	79	assert (fn < mr->flist_count);
	80
	81	/* now we have located the function the bblock-extension is occuring
	82	* in, lets get all bblockes and find the modified one
	83	*/
	84	func = mr->flist[fn];
	85	brl = ia32_br_get_all (func->br_root, &brl_count);
	86	morph_br_sort (brl, brl_count);
	87
	88	for (bn = 0 ; bn < brl_count && ia32_trace_range (brl[bn]->start,
	89	brl[bn]->end, mr->bblock->start) == 0 ; ++bn)
	90	;
	91	assert (bn < brl_count);
	92
	93	/* extend current bblock, zero extended space and then move all
	94	* bblockes that come after it
	95	*/
	96	if (len > 0)
	97	func->mem = xrealloc (func->mem,
	98	func->end - func->start + len);
	99
	100	memmove (&func->mem[mr->bblock->end - func->start + len],
	101	&func->mem[mr->bblock->end - func->start],
	102	func->end - mr->bblock->end);
	103
	104	if (len > 0)
	105	memset (&func->mem[mr->bblock->end - func->start],
	106	0x90, len);
	107
	108
	109	mr->bblock->end += len;
	110	assert (mr->bblock->start < mr->bblock->end);
	111	mr->bblock->last_unused = len;
	112
	113	for (n = bn + 1 ; n < brl_count ; ++n) {
	114	brl[n]->start += len;
	115	brl[n]->end += len;
	116	}
	117
	118	/* the bblockes are relocated for now, but still dangle by instruction.
	119	* first move all following functions, then fixup first the bblockes,
	120	* then all functions.
	121	*/
	122	for (n = fn + 1 ; n < mr->flist_count ; ++n) {
	123	mr->flist[n]->start += len;
	124	mr->flist[n]->end += len;
	125	}
	126
	127	morph_br_fix (mr, func);
	128	/FIXME morph_func_fix (mr); /
	129
	130	free (brl);
	131
	132	return;
	133	}
	134
	135
	136	void
	137	morph_br_fix (morph mr, ia32_function func)
	138	{
	139	unsigned int n,
	140	bn;
	141	ia32_bblock ** brl; /* bblock list of function, brl_count items */
	142	unsigned int brl_count;
	143
	144
	145	brl = ia32_br_get_all (func->br_root, &brl_count);
	146	morph_br_sort (brl, brl_count);
	147
	148	for (bn = 0 ; bn < brl_count && ia32_trace_range (brl[bn]->start,
	149	brl[bn]->end, mr->bblock->start) == 0 ; ++bn)
	150	;
	151	assert (bn < brl_count);
	152
	153	for (n = 0 ; n < brl_count ; ++n) {
	154	if (n == bn && brl[bn]->last_unused < 0) {
	155	fprintf (stderr, "cannot fix last instruction, negative dangling\n");
	156	continue;
	157	}
	158
	159	morph_br_fix_front (mr, func, brl[n]);
	160	}
	161	}
	162
	163
	164	static void
	165	morph_br_fix_front (morph mr, ia32_function func, ia32_bblock *br)
	166	{
	167	switch (br->endtype) {
	168	case (BR_END_IF):
	169	morph_br_fix_inst (func, br, 1);
	170	break;
	171
	172	case (BR_END_TRANSFER):
	173	morph_br_fix_inst (func, br, 0);
	174	break;
	175
	176	/* cases we can safely ignore
	177	* BR_END_IF_INTER we can ignore because the control flow change
	178	* happens to another function, not at bblock level
	179	*/
	180	case (BR_END_RET):
	181	case (BR_END_PASS):
	182	case (BR_END_CALL):
	183	case (BR_END_FUNCPTR_CALL):
	184	case (BR_END_FUNCPTR_JUMP):
	185	case (BR_END_IF_INTER):
	186	case (BR_END_TRANSFER_INTER):
	187	case (BR_END_UNPREDICT):
	188	case (BR_END_CTRL_SYSCALL):
	189	case (BR_END_CTRL_SYSCALL_END):
	190	default:
	191	break;
	192	}
	193	}
	194
	195
	196	static void
	197	morph_br_fix_inst (ia32_function func, ia32_bblock br, int endbr_num)
	198	{
	199	unsigned char * dest;
	200	unsigned int vaddr_inst;
	201	unsigned int daddr_current,
	202	daddr_correct;
	203	ia32_instruction * inst,
	204	inst_s;
	205	unsigned int displ_relofs,
	206	displ_size;
	207	int displ_new;
	208
	209
	210	vaddr_inst = br->end - br->last_unused - br->last_ilen;
	211	dest = &func->mem[vaddr_inst - func->start];
	212	inst = ia32_decode_instruction (dest, &inst_s);
	213	assert (inst != NULL);
	214
	215	daddr_current = ia32_trace_control (inst, dest, vaddr_inst, NULL,
	216	NULL);
	217	daddr_correct = br->endbr[endbr_num]->start;
	218
	219	if (daddr_current == daddr_correct)
	220	return;
	221
	222	fprintf (stderr, "_fix_inst: instruction at 0x%08x\n"
	223	"\tdestaddr current = 0x%08x\n"
	224	"\tdestaddr correct = 0x%08x\n"
	225	"\tbblock unused = 0x%08x\n",
	226	vaddr_inst, daddr_current, daddr_correct, br->last_unused);
	227
	228	/* get the position and size of the displacement, then adjust it
	229	* in-place
	230	*/
	231	displ_relofs = ia32_has_displacement (inst, &displ_size);
	232	assert (displ_relofs != 0);
	233
	234	fprintf (stderr, "\t%d bit displacement at: 0x%08x + %d\n",
	235	displ_size, vaddr_inst, displ_relofs);
	236
	237	displ_new = daddr_correct;
	238	displ_new -= vaddr_inst + inst->length;
	239	fprintf (stderr, "\told displacement: 0x%08x\n"
	240	"\tnew displacement: 0x%08x\n",
	241	inst->opc.displ_value, displ_new);
	242
	243	assert (morph_displ_boundcheck (displ_new, displ_size) == 0);
	244	ia32_encode_value (dest + displ_relofs, displ_size, displ_new);
	245
	246	return;
	247	}
	248
	249
	250	int
	251	morph_displ_boundcheck (int displ_val, unsigned int displ_size)
	252	{
	253	int bytes;
	254	int valid_up[] = { 0, 0x7f, 0x7fff, 0, 0x7fffffff };
	255	int valid_down[] = { 0, -0x80, -0x8000, 0, -0x80000000 };
	256
	257
	258	bytes = ia32_bit_to_byte (displ_size);
	259
	260	if (displ_val > valid_up[bytes])
	261	return (1);
	262
	263	if (displ_val < valid_down[bytes])
	264	return (1);
	265
	266	return (0);
	267	}
	268
	269
	270	void
	271	morph_func_fix (morph *mr)
	272	{
	273	}
	274
	275
	276	void
	277	morph_func_sort (morph *mr)
	278	{
	279	qsort (mr->flist, mr->flist_count, sizeof (mr->flist[0]),
	280	(int ()(const void ,const void*)) morph_func_sort_2);
	281	}
	282
	283
	284	static int
	285	morph_func_sort_2 (void e1, void e2)
	286	{
	287	ia32_function * f1 = ((ia32_function *) e1);
	288	ia32_function * f2 = ((ia32_function *) e2);
	289
	290
	291	if (f1->start == f2->start)
	292	return (0);
	293
	294	if (f1->start < f2->start)
	295	return (-1);
	296
	297	return (1);
	298	}
	299
	300
	301	void
	302	morph_br_sort (ia32_bblock **brlist, unsigned int br_len)
	303	{
	304	qsort (brlist, br_len, sizeof (brlist[0]),
	305	(int ()(const void , const void *)) morph_br_sort_2);
	306	}
	307
	308
	309	static int
	310	morph_br_sort_2 (void e1, void e2)
	311	{
	312	ia32_bblock * b1 = ((ia32_bblock *) e1);
	313	ia32_bblock * b2 = ((ia32_bblock *) e2);
	314
	315
	316	if (b1->start == b2->start)
	317	return (0);
	318
	319	if (b1->start < b2->start)
	320	return (-1);
	321
	322	return (1);
	323	}
	324